Description
Describe the bug
We configure authentik to sync users and groups to an invGate installation using SCIM. We configure a filter for users and a SCIM group mapping to filter groups based on attributes (raise SkipObject) if the group doesn't match the criteria.
The first sync works fine, but after syncing all users and groups, the next sync task fails with this error:
{"domain_url": null, "event": "Task failure", "exc": "5 validation errors for Group\nmembers.0.value\n Input should be a valid string [type=string_type, input_value=53, input_type=int]\n For further information visit https://errors.pydantic.dev/2.11/v/string_type\nmembers.1.value\n Input should be a valid string [type=string_type, input_value=54, input_type=int]\n For further information visit https://errors.pydantic.dev/2.11/v/string_type\nmembers.2.value\n Input should be a valid string [type=string_type, input_value=55, input_type=int]\n For further information visit https://errors.pydantic.dev/2.11/v/string_type\nmembers.3.value\n Input should be a valid string [type=string_type, input_value=56, input_type=int]\n For further information visit https://errors.pydantic.dev/2.11/v/string_type\nmembers.4.value\n Input should be a valid string [type=string_type, input_value=57, input_type=int]\n For further information visit https://errors.pydantic.dev/2.11/v/string_type", "level": "warning", "logger": "authentik.root.celery", "pid": 283940, "schema_name": "public", "task_id": "1b8e4b433b46477facc972fe670311db", "timestamp": "2025-07-13T09:30:15.261881"}
The numbers (53, 54, 55, 56 and 57) are the IDs of the users in invGate that belong to the group being synced. If we call the invGate SCIM endpoint, we receive this result:
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ],
  "id": 72,
  "members": [
    {
      "value": 53,
      "display": "USER53"
    },
    {
      "value": 54,
      "display": "USER54"
    },
    {
      "value": 55,
      "display": "USER55"
    },
    {
      "value": 56,
      "display": "USER56"
    },
    {
      "value": 57,
      "display": "USER57"
    }
  ],
  "displayName": "GROUP1",
  "externalId": "05c6f450-b1d2-4198-8e04-dad1c85c367e",
  "meta": {
    "resourceType": "Group",
    "created": "2025-07-13T05:58:06+00:00",
    "lastModified": "2025-07-13T09:07:28+00:00",
    "location": "https:\/\/INVGATE_ENDPOINT\/scim\/v1\/Groups\/72"
  }
}
I think the error is about this: authentik expects the value field to be a string.
But if we read the 2.0 group schema for SCIM (https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema-20#section-4.2 about groups and https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema-20#section-3.1 about the id field), it is fine. This schema does not require the id field to be a string (or so I understand), and schema 22 has the same definition for id fields.
So:
- Why is authentik (or the pydantic library) forcing the SCIM user id to be a string?
- How do I convert the resulting ids to strings to bypass this problem?
To Reproduce
Configure a SCIM provider that returns ids as integers, not strings.
First Sync OK
Second sync KO
Expected behavior
Sync works correctly regardless of the SCIM provider's id type
Screenshots
Logs
Version and Deployment (please complete the following information):
- authentik version: 2025.06.3
- Deployment: helm
Additional context
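
One way to coerce integer identifiers to strings before a strictly typed model validates the response, as an added example that is not authentik's code and not part of the original report. The names `strict_errors`, `normalize_group` and `_as_scim_id` are hypothetical, and the sample is constructed from the response shown above, shortened to two members.

```python
import json

# Constructed sample modelled on the invGate response in the report.
SAMPLE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "id": 72,
  "displayName": "GROUP1",
  "members": [
    {"value": 53, "display": "USER53"},
    {"value": 54, "display": "USER54"}
  ]
}
""")


def strict_errors(group):
    """Hypothetical strict check: list the paths whose identifier is not a str."""
    errors = []
    if not isinstance(group.get("id"), str):
        errors.append("id")
    for i, member in enumerate(group.get("members") or []):
        if not isinstance(member.get("value"), str):
            errors.append(f"members.{i}.value")
    return errors


def _as_scim_id(value, path):
    """Coerce an integer identifier to its decimal string; refuse anything else."""
    if isinstance(value, str):
        return value
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, int) and not isinstance(value, bool):
        return str(value)
    raise TypeError(f"{path}: cannot use {type(value).__name__} as a SCIM id")


def normalize_group(group):
    """Return a copy of a SCIM Group with id and members[].value as strings."""
    fixed = dict(group)
    if "id" in fixed:
        fixed["id"] = _as_scim_id(fixed["id"], "id")
    if "members" in fixed:
        fixed["members"] = [
            {**m, "value": _as_scim_id(m.get("value"), f"members.{i}.value")}
            for i, m in enumerate(fixed["members"] or [])
        ]
    return fixed
```

Floats, booleans and missing values raise instead of being stringified, so a malformed identifier is not silently matched against a different account during group membership sync.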